jNetPcap SDK

Welcome to jNetPcap SDK website.

jNetPcap is a software library written in Java that provides APIs (Application Programming Interface) similar to the popular libpcap native library. It allows developers to capture, analyze, and manipulate network packets within Java applications.

The library offers a convenient way to work with network traffic data, providing functionality for capturing packets from network interfaces, parsing protocols, extracting data, and performing various network analysis tasks. It provides a Java wrapper around the native libpcap library, allowing developers to utilize its features in a Java environment.

jNetPcap simplifies the process of network packet analysis and enables developers to build network monitoring, security, and analysis tools using the Java programming language. It supports a wide range of protocols and provides comprehensive functionality for working with network packets.

The software is often used in network-related applications such as network monitoring tools, packet sniffers, intrusion detection systems, and network forensic analysis tools. It provides a powerful and flexible framework for network packet analysis and manipulation within Java applications.

jNetPcap SDK is made up of several modules which provide comprehensive network processing functionality. The following is a list of the included modules as part of the SDK release:

jNetPcap Wrapper - functional native libpcap API
jNetPcap SDK - protocol specific APIs for advanced packet processing such as IP fragment reassembly, protocol dissection, stream reassembly and a lot more
Protocol packs/modules - several modules that provide specific protocol related APIs such as high level packet object representation, protocol headers, binary dissectors, state and analysis data/descriptors
- Core protocols - a base module providing support for common network protocols and the protocol API
- Web, Telco and many other protocol family specific protocol packs

Version Requirements

jNetPcap Wrapper is built using Java's Foreign Function & Memory API, which evolved significantly between JDK releases. To accommodate JDK 21 LTS support, we maintain two parallel versions:

Main Release (e.g., 2.3.1)
- Requires JDK 22 or higher
- Uses stable Foreign Function & Memory API
- Recommended for new projects
JDK 21 LTS Release (e.g., 2.3.1+jdk21)
- Requires JDK 21 with preview features enabled
- Uses preview Foreign Function & Memory API
- Suitable for LTS environments

Both versions maintain feature parity, with the only difference being the underlying JDK API usage. Version numbers stay synchronized (e.g., 2.3.1 and 2.3.1+jdk21) to make it clear which releases correspond to each other.

To find the examples hoststed here as well as many downloadable packages and source, please visit our source code repository at www.github.com/slytechs-repos.

> Demonstration

We have lots of examples but here is a quick demonstration of how to read all of the packets from a PCAP capture file, reassemble all IP fragments and print each reassembled packet's contents to the system console.

The above example will reassemble 7 IP fragments for the original ICMP message that was 9000 bytes. The original IP fragments are discarded after they are used in reassembly so we end up with a single IP datagram containing the original ICMP message, at full original length.

IPF reassembler is a powerful jNetPcap Processor, that can be configured to meet your specific needs. You can choose to pass through original IP fragments, set timeout parameters for missing fragments, and adjust IPF table sizes.

Here are some of the options that are available for configuring IPF reassembler:

Pass through original IP fragments: This option will allow IPF reassembler to pass through original IP fragments without reassembling them. This can be useful for debugging or for applications that need to handle fragmented packets.
Timeout parameters for missing fragments: This option allows you to set the timeout parameters for missing fragments. This will determine how long IPF reassembler will wait for a missing fragment before giving up.
IPF table sizes: This option allows you to adjust the size of the IPF tables. This can be useful if you are dealing with a large number of IP fragments.

The output generated by the above example is as follows:

> Pcap 1-liner

Or as close as we can get to a single line of code if we do not have to enable any of the more advanced features such as IpfReassembler, PacketPlayer, DataObfuscator, etc. This is technically the shortest 100% correct pcap code you can write, that reads all packets from a capture file and still performs the following steps:

Open a capture file
Read all of the packets
Dissects and prints full details about every header and protocol attribute for each packet
Close the capture file

Note: pcap.dispatch(System.out::println) uses method reference aka lambda expression pcap.dispatch((Packet packet) -> System.out.println(packet.toString())

Generates the following output:

> Note on legacy jNetPcap v1!

If you are looking for the old website that was dedicated to jNetPcap version 1, it has been archived and is currently offline. You can still find the old software at either www.sourceforge.net/projects/jnetpcap or a clone on GitHub www.github.com/slytechs-repos/jnetpcap-legacy

Archived v1 website: www.jnetpcap.com/legacy